squid random outgoing ip/interface selection

If you want to configure squid 2.7 or newer to spread outgoing connections across several outgoing IP addresses or interfaces in a random or round-robin fashion, here is how you can do it:

It can be done, but unfortunately it is not as easy as setting “balance_on_multiple_ip on” in squid.conf. That option load-balances across the multiple IP addresses of a remote server, not across your own outgoing addresses. If you type “nslookup google.com”, you will see that Google uses multiple IP addresses for this domain: 74.125.155.99 74.125.155.105 74.125.155.106 74.125.155.147 74.125.155.103. With “balance_on_multiple_ip on” squid balances the load between these addresses.

Setting up squid for round-robin outgoing interface usage relies on the following fact: although squid can’t round-robin outgoing interfaces, it can round-robin parent proxy servers. So the solution is to configure squid as both child and parent, round-robin among its own “parent” instances, and set up each parent instance to use a specific outgoing interface.

In this sample configuration we’ll set up squid to accept client connections on the 192.168.0.1 address and to randomly use the outgoing interfaces 10.0.0.1, 10.0.0.2 and 10.0.0.3. I use 10.0.0.x for demonstration purposes; in a real config these will most likely be replaced with public Internet IPs.

1) Configure squid to listen on all of these interfaces (config directive http_port). 192.168.0.1 will be used by clients, while the 10.0.0.x addresses will serve as fake parent proxy servers that squid connects to on its own host:

You can use myip instead of src here. At this point you can also start your squid server and make sure that the configuration indeed works: set one of the outgoing interface addresses as your browser proxy and navigate to http://www.whatismyip.com/. You should always see the address of the interface that you use.

The ACLs and cache_peer_access directives ensure that squid will not forward a request to itself endlessly: access to the “parent” caches is denied for requests that arrived on the public (outgoing) interfaces. The “never_direct” directives make sure that POST requests, which squid would otherwise send directly, are distributed too.

At this point you can set 192.168.0.1:3128 as the proxy server in your browser and make sure that each time you connect a random outgoing interface is selected and that this outgoing interface changes periodically.
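For readers who want to see the whole scheme in one place, here is an added example of a squid 2.7-style squid.conf that implements the self-parent round-robin described in the steps above. It is not the original post’s configuration (that snippet is not reproduced here); the addresses match the text (192.168.0.1 for clients, 10.0.0.1 to 10.0.0.3 as outgoing interfaces) and the ACL names, the 192.168.0.0/24 client network and the assumption that squid’s connections to its own 10.0.0.x listeners originate from those same addresses are choices made for this example.

```conf
# Added example, not the original post's config: squid 2.7-style squid.conf
# implementing "squid as its own round-robin parent". Addresses follow the
# text; ACL names and the client network are assumptions for this example.

acl all src 0.0.0.0/0.0.0.0          # squid 2.x does not predefine "all"
acl localnet src 192.168.0.0/24       # clients allowed to use the proxy (assumed)

# One listener per address: the client-facing one plus one per outgoing interface
http_port 192.168.0.1:3128
http_port 10.0.0.1:3128
http_port 10.0.0.2:3128
http_port 10.0.0.3:3128

# Which local address a request arrived on ("myip", as the text suggests)
acl from_clients myip 192.168.0.1
acl via_out1 myip 10.0.0.1
acl via_out2 myip 10.0.0.2
acl via_out3 myip 10.0.0.3
acl on_outgoing myip 10.0.0.1 10.0.0.2 10.0.0.3
# Squid's own connections to the fake parents come from the 10.0.0.x addresses
# (assumption: same host, so the kernel picks the matching local address)
acl self src 10.0.0.1 10.0.0.2 10.0.0.3

# Clients only on the client port; the outgoing-interface ports only for squid itself,
# so the 10.0.0.x listeners are not an open proxy (step 4 below)
http_access allow from_clients localnet
http_access allow on_outgoing self
http_access deny all

# A request that arrived on an outgoing interface leaves through that interface
tcp_outgoing_address 10.0.0.1 via_out1
tcp_outgoing_address 10.0.0.2 via_out2
tcp_outgoing_address 10.0.0.3 via_out3

# The fake parents are squid's own listeners; round-robin spreads requests over them
cache_peer 10.0.0.1 parent 3128 0 no-query no-digest round-robin
cache_peer 10.0.0.2 parent 3128 0 no-query no-digest round-robin
cache_peer 10.0.0.3 parent 3128 0 no-query no-digest round-robin

# Only requests from the client-facing port may be sent to a parent; a request
# already on an outgoing interface is never re-forwarded, which breaks the loop
cache_peer_access 10.0.0.1 allow from_clients
cache_peer_access 10.0.0.1 deny all
cache_peer_access 10.0.0.2 allow from_clients
cache_peer_access 10.0.0.2 deny all
cache_peer_access 10.0.0.3 allow from_clients
cache_peer_access 10.0.0.3 deny all

# Client requests must always go through a parent, so POST and other
# non-hierarchical requests are balanced too; requests already on an
# outgoing interface must go direct
never_direct allow from_clients
always_direct allow on_outgoing

# Reused server connections keep the outgoing address they were opened with
# (see the first comment below), so disable them to keep the rotation honest
server_persistent_connections off
```

To check it, point a browser at 192.168.0.1:3128 and reload http://www.whatismyip.com/ a few times as the text describes: the reported address should cycle through the three outgoing interfaces, and squid’s access log should show each client request once on the 192.168.0.1 listener and once on a 10.0.0.x listener. If the log shows the same request bouncing between 10.0.0.x listeners, the cache_peer_access deny rules are not matching and the loop protection is not in effect.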

4) Additional things you can do:

Set up ACLs to prevent external users from accessing squid on the public outgoing interfaces (or you can just use a firewall to achieve the same effect).

You can use port numbers rather than interface addresses to identify the fake parent caches and thus avoid listening on the outgoing interfaces altogether.

If you are setting up squid just for load balancing and request forwarding, you can disable the disk cache with the configuration directive “cache_dir null /null” and thereby improve proxy performance.

Make the proxy anonymous by using the “header_access” and “forwarded_for off” directives.

You can achieve a similar effect with the “random” ACL introduced in squid 3.2. However, if you are like me (running on Windows and too lazy to compile your own stuff), you only have access to Squid 3.0 binaries, which don’t have this feature yet.
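For completeness, here is an added example (not from the post) of the squid 3.2+ alternative just mentioned: a single instance that picks an outgoing address per request with the “random” ACL, with no self-parenting at all. The addresses are the same ones used in the text; the ACL names and the 192.168.0.0/24 client network are assumptions for this example, and the “acl name random 1/N” syntax is the one documented for squid 3.2.

```conf
# Added example, not from the post: squid 3.2+ using the "random" ACL instead of
# self-parenting. Addresses follow the text; ACL names are assumptions.
acl localnet src 192.168.0.0/24       # clients allowed to use the proxy (assumed)
http_port 192.168.0.1:3128
http_access allow localnet
http_access deny all

# tcp_outgoing_address rules are tried in order, first match wins.
# Cascading probabilities give each address a 1/3 share:
#   1/3 of requests match pick_first;
#   half of the remaining 2/3 (= 1/3) match pick_second;
#   everything else (= 1/3) falls through to the last rule, which has no ACL
#   and therefore always matches.
acl pick_first random 1/3
acl pick_second random 1/2
tcp_outgoing_address 10.0.0.1 pick_first
tcp_outgoing_address 10.0.0.2 pick_second
tcp_outgoing_address 10.0.0.3
```

The same verification as above applies: reload http://www.whatismyip.com/ through 192.168.0.1:3128 and the reported address should vary between the three outgoing interfaces, roughly evenly over many requests.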

6 comments to squid random outgoing ip/interface selection

Thanks for a great writeup! One thing I’ve discovered with this setup is that Squid persistent connections disregard the tcp_outgoing_address directive, so they need to be disabled to properly round-robin requests going to the same host:

I am trying to replicate this configuration with authentication, I have passed the login= options to the cache_peer directives. I am only able to exit the IPs that I enter in on. I do not seem to be able to completely replicate your configuration.